Merge branch 'main' into henrymercer/sha256

Author: henrymercer

.github/workflows/__multi-language-autodetect.yml

@@ -77,7 +77,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14-xlarge,macos-15-xlarge]
         tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 

.github/workflows/__swift-autobuild.yml

@@ -5,6 +5,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 ## [UNRELEASED]
 
 - Add support for SHA-256 Git object IDs. [#3893](https://github.com/github/codeql-action/pull/3893)
+
+## 4.35.5 - 15 May 2026
+
+- We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. [#3899](https://github.com/github/codeql-action/pull/3899)
 - For performance and accuracy reasons, [improved incremental analysis](https://github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://github.com/github/codeql-action/pull/3791)
 - If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
 - Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)

.github/workflows/codeql.yml

@@ -66,8 +66,8 @@ const onEndPlugin = {
 const SHARED_ENTRYPOINT = "entry-points";
 
 /**
- * This plugin finds all source files that contain action entry points.
- * It then generates the virtual `entry-points` module which imports all identifies files,
+ * This plugin finds all source files that contain Action entry points.
+ * It then generates the virtual `entry-points` module which imports all identified files,
  * and re-exports their `runWrapper` functions with suitable aliases.
  * A tiny stub file is emitted for each Action entrypoint. Each stub imports the shared bundle
  * and calls the respective entry point.
@@ -83,7 +83,7 @@ const entryPointsPlugin = {
     const toPascal = (s) =>
       s.replace(/(^|-)([a-z0-9])/gi, (_, __, c) => c.toUpperCase());
 
-    // Find the source files containing action entry points.
+    // Find the source files containing Action entry points.
     build.onStart(() => {
       const actionFiles = globSync("src/*-action{,-post}.ts");
       for (const actionFile of actionFiles) {
@@ -112,7 +112,7 @@ const entryPointsPlugin = {
       return { path: SHARED_ENTRYPOINT, namespace };
     });
 
-    // Generate the virtual `entry-points` file based on the actions we discovered.
+    // Generate the virtual `entry-points` file based on the Actions we discovered.
     // Restrict using the namespace. The path filter does not need to discriminate any further.
     build.onLoad({ filter: /.*/, namespace }, async () => {
       const wrapperTemplatePath = "entry-wrapper.js.tpl";
@@ -127,7 +127,7 @@ const entryPointsPlugin = {
       const imports = actionsSorted
         .map(
           (action) =>
-            `import * as ${action.pascalCaseName} from "./src/${basename(action.path)}"`,
+            `import * as ${action.pascalCaseName} from "./src/${basename(action.path)}";`,
         )
         .join("\n");
       const wrappers = actionsSorted
@@ -143,7 +143,7 @@ const entryPointsPlugin = {
       };
     });
 
-    // Emit entry point stubs for each action using the entry template.
+    // Emit entry point stubs for each Action using the entry template.
     build.onEnd(async (result) => {
       // Read the entry point template.
       const templatePath = "action-entry.js.tpl";
@@ -152,7 +152,7 @@ const entryPointsPlugin = {
       const makeHeader = (sourceFile) =>
         `// Automatically generated from '${templatePath}' for 'src/${basename(sourceFile)}'.\n\n`;
 
-      // Write entry point stubs for each action.
+      // Write entry point stubs for each Action.
       for (const action of actions) {
         await writeFile(
           join(

CHANGELOG.md

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.35.5",
+  "version": "4.35.6",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -12,7 +12,8 @@
     "ava": "npm run transpile && ava --verbose",
     "test": "npm run ava -- src/",
     "test-debug": "npm run test -- --timeout=20m",
-    "transpile": "tsc --build --verbose tsconfig.json"
+    "transpile": "tsc --build --verbose tsconfig.json",
+    "update-pr-checks": "./pr-checks/sync.sh"
   },
   "license": "MIT",
   "workspaces": [

build.mjs

@@ -2,7 +2,8 @@ name: "Multi-language repository"
 description: "An end-to-end integration test of a multi-language repository using automatic language detection"
 operatingSystems:
   - ubuntu
-  - macos
+  - os: macos
+    runner-image: macos-latest-xlarge
 env:
   CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true